Description
Subscriber PHP Object Injection in Buddyboss Platform <= 3.0.4 versions.
Published: 2026-06-26
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

BuddyBoss Platform for WordPress versions up to 3.0.4 contains a flaw that allows an attacker to inject a crafted PHP object during subscriber operations. The vulnerability is a deserialization issue that can lead to execution of arbitrary PHP code within the context of the web application, potentially compromising the site’s confidentiality, integrity and availability.

Affected Systems

WordPress installations that include the Buddyboss Platform plugin version 3.0.4 or earlier are affected. The issue resides in the BuddyBoss Platform component of the BuddyBoss suite.

Risk and Exploitability

The CVSS score of 9.8 marks this flaw as critical, indicating a high potential for exploitation. Although EPSS data is not available and it is not listed in the CISA KEV catalog, the impact rating suggests that public sites that have not applied the 3.0.5 fix are at significant risk of exploitation.

Generated by OpenCVE AI on June 26, 2026 at 17:49 UTC.

Remediation

Vendor Solution

Update the WordPress Buddyboss Platform Plugin to the latest available version (at least 3.0.5).


OpenCVE Recommended Actions

  • Update the BuddyBoss Platform plugin to version 3.0.5 or later, which removes the deserialization vulnerability.
  • If the update cannot be performed immediately, disable or uninstall the BuddyBoss Platform plugin until a patched version is available.
  • Deploy a web application firewall rule that blocks suspicious PHP object deserialization payloads and signs of object injection attempts.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 20:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Buddyboss; Buddyboss buddyboss Platform; Wordpress; Wordpress wordpress
Vendors & Products | | Buddyboss; Buddyboss buddyboss Platform; Wordpress; Wordpress wordpress

Fri, 26 Jun 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | | Subscriber PHP Object Injection in Buddyboss Platform <= 3.0.4 versions.
Title | | WordPress Buddyboss Platform plugin <= 3.0.4 - PHP Object Injection vulnerability
Weaknesses | | CWE-502
References | |
Metrics | | cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T15:34:59.413Z

Reserved: 2026-06-18T14:37:29.430Z

Link: CVE-2026-56032

Vulnrichment

Updated: 2026-06-26T15:34:42.856Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T19:45:04Z

Weaknesses
  • CWE-502: Deserialization of Untrusted Data